----- Original Message -----
From: "André Warnier" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Thursday, June 05, 2008 2:54 AM
Subject: Re: Single sign on issue with Tomcat and Apache
Johnny Kewl wrote:
----- Original Message -----
From: "André Warnier" <[EMAIL PROTECTED]>
To: <users@tomcat.apache.org>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, June 05, 2008 1:06 AM
Subject: RE: Single sign on issue with Tomcat and Apache
Hi.
I saw your ongoing discussion, and maybe I can contribute something, but
I need some more info before.
Here is what you explained before :
a) You have one site "aaa.com" to which users access this way :
user -------------------------------> tomcat aaa.com
b) and another site "bbb.com" to which users access this way :
1) static content :
user ------------------------------> Apache bbb.com
2) dynamic content :
user -----> Apache ---> mod_jk ---> tomcat bbb.com
Is it really like described above ?
Yes the exact architecture would help ;)
I understand it like this
browser ------------------> Tomcat on aaa.com
browser <----------------- Tomcat delivers web pages with links to
bbb.com/image.jpg
browser -------------------> Apache on bbb.com with images and stuff
(that won't authenticate)
Reason is browser will not return auth and cookies that belong to domain
aaa.com to bbb.com
What (I think) may work is what you have indicated
user -----> Apache (bbb.com) ---> mod_jk ---> tomcat aaa.com
All links now to bbb.com and JK setup to talk to aaa.com
Images on Apache and servlet JKMounted on aaa.com
The browser will return Basic header and cookies... so I think Apache
auth modules and tomcat on SingleSignOn will work.
All assuming this can be set up and if the images are hosted remotely that
the Sp can set up JK etc.
But if webapp cannot be changed and images are hardcoded in servlet... I
think he's snookered and probably has to lose authentication on Apache.
That's how I understand it...
Maybe?
There are too many known unknowns at the moment to propose something
precise. If there is only a single Tomcat with a single localhost Host
and two webapps, then it would simplify the domain stuff and the
SingleSignOn at that end.
The general schema I am thinking about, if .. , is
- all requests go through Apache, and from there to Tomcat or not
- Tomcat allows only calls from Apache (IP filter)
- Apache does all the authentication
- mod_jk will pass the Apache user-id to Tomcat for requests that go there
- the Apache config for Tomcat-destined links is of the kind
<Location (or LocationMatch) ..>
SetHandler Jakarta-servlet
Authentication stuff..
Require ...
</Location>
Yes, I think you're right, if Apache is fronting the whole thing, then it may
as well do all the auth stuff...
This TC mailing list is great, there's a fantastic user knowledge base in
this list.
It's almost like every other discipline has converged around TC.
I'm beginning to think you could ask any question in this group, PHP, Ruby
whatever, and it would probably get answered ;)
Thanks
---------------------------------------------------------------------------
HARBOR : http://www.kewlstuff.co.za/index.htm
The most powerful application server on earth.
The only real POJO Application Server.
See it in Action : http://www.kewlstuff.co.za/cd_tut_swf/whatisejb1.htm
---------------------------------------------------------------------------
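The schema proposed in the thread (Apache authenticates everything and hands Tomcat-bound requests to mod_jk), written out as an added example that is not part of either poster's message. The worker name `worker1`, the `/images` and `/app` prefixes, the realm name and the file paths are placeholders, and mod_jk is assumed to be loaded with that worker defined.

```apache
# Added example, not configuration from the thread.
# Placeholders: worker1, /images, /app, realm "bbb", all file paths.

# A single virtual host serves both static and dynamic content, so the
# browser sees one host and one realm and returns the same Basic
# credentials and cookies for pages and for images.
<VirtualHost *:80>
    ServerName bbb.com
    DocumentRoot /var/www/bbb

    # Static content served by Apache itself, behind the shared realm.
    <Location /images>
        AuthType Basic
        AuthName "bbb"
        AuthUserFile /etc/apache2/bbb.htpasswd
        Require valid-user
    </Location>

    # Dynamic content: Apache authenticates first, then mod_jk forwards
    # the request (with the authenticated user-id) to Tomcat.
    <Location /app>
        SetHandler jakarta-servlet
        SetEnv JK_WORKER_NAME worker1
        AuthType Basic
        AuthName "bbb"
        AuthUserFile /etc/apache2/bbb.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```

For the Apache user-id to reach the webapp as the remote user, Tomcat's AJP connector needs `tomcatAuthentication="false"`. The "only calls from Apache" rule matters here because anything else that can reach the AJP port could assert a user name of its own, so bind the connector to the Apache host's address or filter it by IP.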